What is a DoS/DDoS attack?
A denial of service (DoS) attack is designed to disable an IT system by flooding the system's internet connected equipment with data in order to seriously degrade the performance of the system or cause it to fail because of the sheer load of communications. The attack is designed to prevent or limit use of the IT system by the system's intended or authorised users.
Distributed denial of service (DDoS) attacks are even more dangerous. In a DDoS attack the controller is able to use a botnet (a large number of remote computers, called zombies, which the controller has compromised and controls) to direct internet traffic at the victim with the aim of degrading the victim's network or causing it to fail. In many cases the owners of the zombies do not know that their computer has been compromised and has become part of a botnet.
In the case of DDoS attacks, the number of zombies in a botnet, which are used to direct traffic at a victim site, can number in the many thousands. Large botnets can direct multiple gigabits of data per second at victims. The sheer scale of the attacks that botnets can focus on a victim make it very difficult for victim sites to withstand the attacks. Recent media reports claim that the operators of some botnets are "renting out" the use of their botnet on an hourly or daily basis.
The fact that attacks can be coordinated from any country in the world, using remotely controlled compromised computers, makes it difficult to track down the aggressors and capture them. The comparative ease by which attacks can be launched and the anonymity afforded to the aggressor allows DoS/DDoS attacks to be used by cyber criminals for the purpose of extorting money or extracting data from compromised systems, by hackers who seek notoriety amongst peers ("hacktivism") or by radical organisations or terrorists to promote extreme or radical views or agendas.
The incidence of attacks is increasing. Arbor Networks reported nearly 500 DoS/DDoS attacks worldwide in the 24 hour period preceding the writing of this article. Recently reported targets include Facebook, Twitter, the CIA and the UN. Fairfax has recently reported attacks on Australian sites such as ETrade, MoneyManagement and tradingroom.com.au (a subsidiary of Fairfax itself) as well as government sites such as ACMA, Department of Broadband, Communications and the Digital Economy (DBCDE), the Prime Minister's website and ministerial websites.
DoS/DDoS attacks have the potential to cause significant losses to any Australian business that relies on online sales or that operates a website that involves or depends on high traffic volumes (eg news sites). Any company that uses cloud computing services may also be at risk as a DoS/DDoS attack may limit or preclude access by the company to its own data or business applications.
Apart from the obvious need to ensure that networks are appropriately designed and configured to resist attack and are protected by the most up to date security technology, it is wise to undertake some practical defence planning which will assist you to deal with a DoS/DDoS attack. There are two reasons for doing so:
- it is a sensible and prudent thing to do given the threat now posed by DoS/DDoS attacks
- it will help you demonstrate to regulators or to a court that you have discharged any duty of care that you may owe to third parties (eg customers).
A company that fails to do any planning to address a DoS/DDoS threat may expose itself to a negligence claim if a DoS/DDoS attack is launched against it which causes a third party to suffer a security breach, data loss, privacy loss, loss of supply or other type of loss.
The defence planning steps you should consider include:
- if you have outsourced management of your IT network, check whether your outsourcing agreement requires the provider to respond to and manage your recovery from an attack (not all outsourcing contracts will cover this issue). If the agreement does provide coverage then ask your provider to outline how they would respond to an attack, consider updating your agreed disaster recovery plan to specifically address DoS/DDoS incidents and consider conducting a rehearsal of the plan
- if you are proposing to outsource the management of your network, ask your proposed provider to explain what experience they have in responding to DoS/DDoS attacks. Your outsourcing contract should oblige the provider to actively monitor network traffic and promptly report on unusual events, provide you with a plan (to be updated annually) which outlines in detail how the provider would go about responding to a DoS/DDoS attack and require the provider to undertake regular rehearsals of the plan and report on outcomes
- if you manage your IT network internally, consider developing your own DoS/DDoS defence plan. Also consider making contact with external providers who can help you plan for a DoS/DDoS attack and help you respond to an attack. It is better to do this now than during the turmoil caused by a DoS/DDoS attack
- consider your electronic dependencies with key suppliers. Request those suppliers to provide information on what DoS/DDoS preventative measures they have taken and what planning they have put in place to address the effects of any attack
- consider expressly nominating a DoS/DDoS attack as a force majeure event in your customer terms and conditions as well as specifically excluding liability for site unavailability caused by a DoS/DDoS attack
- consider developing a media engagement plan for dealing with media scrutiny in the event of an attack
- ensure that you remember to promptly report DoS/DDoS incidents to CERT Australia if your business suffers an attack. If you suspect that online transactions have been compromised following an attack you should also promptly contact your financial institution.
The time to prepare is now!
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.